Samba AD/DC integration

  • Hi all,
    this is my 1st post, so please bear with me. Also, English is not my native language so, again, "beer" with me.
    To the point.
    I'm trying to integrate OMV on my Samba AD domain. Shouldn't be too difficult. However, my preliminary trials failed one way or the other.
    So, before I start the painstaking process of wall head-banging, I've looked around for some how-to's and found
    Active Directory / LDAP Revisited
    and
    Join a Windows 2008 R2 domain
    but those are for windoze AD's. Although a lot of those 2 guides actually apply to my environment, they are not what I had in mind.
    Also
    https://howto-it.dethegeek.eu.…_et_partager_via_CIFS/SMB
    but that is OLD news!


    So, bottom line, any guides out there for a lazy guy like me?
    Best regards

  • Thank you Donh for your answer and for the "Active Directory / LDAP Revisited". FYI *YOU* started this.
    Also dethegeek had a major role on the following with his "Join a Windows 2008 R2 domain". A lot of the following is copied from his post.
    Anyway, before trying realmd or sssd, I wanted to see if I could do it using plain winbind that comes with samba. It's now working but not in production. Here are my findings.


    Disclaimer: This is NOT a how-to; it's a working document I wrote to help me remember stuff for when I get into production with OMV4. Some may find it helpful, useless, wrong or great; I don't care. Some may choose to use it; I don't care. I do care if you do give useful feedback that improves on this.


    1) The system: 2 virtual machines (Oracle VM VirtualBox). One for the samba AD-DC server, another for OMV, both on Debian Stretch (SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux). Both are purely test machines.
    a) Openmediavault - Self compiled OMV Arrakis 4.0.14.1. Pretty basic (whatever that means) installation. Extrasorg 4.1.1 and LuksEncryption 3.0.2 plugins installed. Static IP. No reason why it shouldn't work on OMV3.
    b) The samba Server - Self compiled Samba 4.6.8. Again, pretty basic AD-DC installation as per the samba wiki using bind9 (9.10.3) as DNS.
    A few remarks (all this is not part of the "basic" installation and MAY have some effect on the outcome; point (iv) is VERY important):
    i) Disabled avahi-daemon. Hate that piece of ****
    ii) No firewall or AppArmor
    iii) Machine is also dhcp server and gateway
    iv) winbind correctly configured. More on this later on
    v) I bet the Internal_DNS (as opposed to bind) would work just as well but didn't test (yet). Whatever option you use, check DNS resolution works
    vi) Dynamic DNS updates configured in dhcpd.conf. Not needed, but still...


    Some details on the samba server configuration (SAMDOM is just an EXAMPLE. Replace as needed):
    a) My smb.conf:


    b) samba has its own winbind(d) service. Use it. Remember to modify /etc/nsswitch.conf. Check that wbinfo -u resolves your domain users.


    Up to this point, everything is done according to the samba wiki in order to have a functional samba AD-DC server and has nothing to do with openmediavault. I can provide more details upon request.
    Now, for the OMV part.


    1) I'm lazy. I run everything as su except if otherwise required. If you're a proper sysadmin you'll have to add sudo to the following commands. I did this using ssh but the omv shell should work as well.
    1.1) CAPS MATTER!!! Especially as far as kerberos is concerned.
    1.2) Disable current samba server. On systemd:


    Code
    systemctl stop samba-ad-dc
    systemctl disable samba-ad-dc

    2)

    Code
    apt-get install winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

    Some of the previous may be redundant.


    3) I also like to apt-get install htop iftop ethtool iperf3. Not needed though.


    4) Stop, disable AND mask avahi-daemon


    5) on OMV/Services/SMBCIFS:
    i) enable the service
    ii) Put SAMDOM on the Workgroup line
    iii) Add the following to "extra options"

    Code
    realm = SAMDOM.EXAMPLE
    winbind nss info = template
    server role = member server
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    winbind enum groups = yes
    winbind enum users = yes

    iv) edit /etc/krb5.conf. it should be similar to:

    Code
    [libdefaults]
    default_realm = SAMDOM.EXAMPLE
    dns_lookup_realm = false
    dns_lookup_kdc = true


    Again, a few remarks.
    1) I'm using the rid backend. Guess it should work with any backend but I didn't test.
    2) the range values are pretty standard, but must be configured according to your samba installation
    3) make sure /etc/hosts doesn't contain a line starting with 127.0.1.1 (debian's nasty habit IMHO)
    4) make sure /etc/resolv.conf points to your samba server
    5) make sure /etc/nsswitch.conf contains winbind both on the passwd: and group:
    6) in /etc/default/winbind uncomment the line WINBINDD_OPTS = "-n"


    Let's move on
    1) create winbind links. According to samba wiki

    Code
    ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
    ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
    ldconfig

    2) Start services. On systemd do:

    Code
    systemctl enable nmbd
    systemctl start nmbd

    Rinse and repeat for smbd.


    At this point you should reboot.
    3) After that check that smbd and nmbd are running and start winbind:

    Code
    systemctl status smbd
    systemctl status nmbd
    systemctl start winbind
    systemctl enable winbind
    systemctl status winbind

    4)

    Code
    kinit administrator

    5)

    Code
    net ads join -U administrator

    6) by now, getent passwd should resolve your domain users. It may take a while depending on domain size, server load, and Jupiter's alignment with Mercury.
    7) If you go to OMV/Access Rights Management/User, you should see your domain users. Same in Groups.
    8) You can now configure access to your Shared Folders. Job done.


    Care to comment?
    Best regards

    Edited 4 times, last by camjesus2 () for the following reason: Errors corrected and typos "untyped"
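    As an added example (not from the original post, nor from the OMV or Samba projects): a small POSIX shell script that checks the remarks above (no 127.0.1.1 line, resolver pointing at the DC, winbind in nsswitch, upper-case realm, non-overlapping idmap ranges) before running net ads join. The DC address 192.0.2.10 and the sample files it writes are constructed values; on a real OMV host call the checks with the /etc paths and your own DC address and domain name.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the remarks
# above. Every check takes a file path so it can run on the constructed
# samples below; on a real OMV host pass /etc/hosts etc. Return 0 means OK.

# /etc/hosts must not carry Debian's 127.0.1.1 hostname line.
check_hosts() { ! grep -q '^[[:space:]]*127\.0\.1\.1[[:space:]]' "$1"; }

# The first nameserver in resolv.conf must be the Samba DC ($2 = DC address).
check_resolv() {
    [ "$(awk '/^nameserver/ { print $2; exit }' "$1")" = "$2" ]
}

# Both the passwd: and the group: line in nsswitch.conf must list winbind.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# default_realm in krb5.conf must be present and all upper case (CAPS MATTER).
check_realm_caps() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' \t')
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]
}

# Print "lo hi" of the "idmap config <dom> : range" line; $2 is a sed BRE ('\*' or SAMDOM).
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$1"
}

# The '*' range and the domain range ($2) must both exist and must not overlap.
check_idmap_ranges() {
    star=$(idmap_range "$1" '\*'); dom=$(idmap_range "$1" "$2")
    [ -n "$star" ] && [ -n "$dom" ] || return 1
    [ "${star#* }" -lt "${dom% *}" ] || [ "${dom#* }" -lt "${star% *}" ]
}

# Constructed sample files mirroring the post's values (192.0.2.x is a
# documentation range, not a real host). Prints the directory they live in.
sample_dir() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.0.2.20 omv.samdom.example omv\n' > "$d/hosts"
    printf 'search samdom.example\nnameserver 192.0.2.10\n' > "$d/resolv.conf"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$d/nsswitch.conf"
    printf '[libdefaults]\ndefault_realm = SAMDOM.EXAMPLE\n' > "$d/krb5.conf"
    printf 'idmap config * : range = 3000-7999\nidmap config SAMDOM : range = 10000-999999\n' > "$d/smb.conf"
    echo "$d"
}
```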

    • Official post

    It has worked like that for years. The current ldap plugin works like that also. There is nothing wrong with it either. If you know all the info and where to put it, it's fine. Just search here and around the web to see how many have problems. Google will return many thousands. sssd and realmd were made to help this by automating at least some of it. This should make it easier for casual users and be easier to support.


    If I had the skill to write a plugin I would. The script is a crude attempt to make it easier for some. I welcome improvements from others who are more elegant than I.

  • You're right of course. There is nothing essentially new in all of this. It is, as you say, a matter of collecting ALL the little pieces of information scattered around the forums, filtering the outdated posts etc. Like I said before, your (and dethegeek's) posts were very close to what I wanted to do. Just not quite.
    For me (I'm no expert), the hard part was getting winbind to work correctly.
    For example, winbind comes by default when you self-compile samba (which I almost always do). Apparently that's not the case if you install from repo. I didn't know this (noob mistake).
    Ah well, I for one, next time I don't remember how to do this, will know where to look (it will, then, be outdated, but still...)


    Best regards
    CAM

    • Official post

    I need to clean the other thread and put in some other links and then pin it. Keep thinking I will get to it. sssd seems to be what works for me and I have done it many ways over the years. I am guessing people higher up are working to automate it more.


    My cold is getting worse so I am going to bed. I will add more tomorrow.
